Which versions of WWBN AVideo are affected by CVE-2026-47696?

WWBN AVideo 29.0 and earlier contains a wallet balance forgery vulnerability allowing any authenticated user to credit their account with arbitrary funds by bypassing payment validation, creating…. A patch is available.

Is there a public PoC exploit available for CVE-2026-47696?

Yes, a public proof-of-concept exploit is available for CVE-2026-47696. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-47696?

Within 24 hours: Disable the /plugin/AuthorizeNet/processPayment.json.php endpoint via web application firewall rule or uninstall the AuthorizeNet plugin entirely; audit all wallet balance changes from past 30 days for suspicious additions. Within 7 days: Implement transaction-level logging and automated alerts for any wallet.addBalance() calls; restrict AuthorizeNet plugin configuration access to administrator role only; require manual two-factor approval for wallet credits exceeding $100 or your organization's fraud threshold. Within 30 days: Upgrade to patched WWBN AVideo version once released (subscribe to WWBN security advisories); evaluate alternative payment processors with server-side transaction validation; conduct full forensic review of historical wallet transactions to quantify fraud exposure.

WWBN AVideo CVE-2026-47696

Q: What is the CVSS score of CVE-2026-47696?

CVE-2026-47696 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-33303 HIGH

Insufficient Verification of Data Authenticity (CWE-345)

2026-05-29 GitHub_M

GHSA-9392-pj54-qqf8

RCE PHP

7.1

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.1 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 29, 2026 - 14:31 vuln.today

CVSS changed

May 29, 2026 - 14:22 NVD

7.1 (HIGH)

DescriptionGitHub Advisory

WWBN AVideo is an open source video platform. In 29.0 and earlier, plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance() without validating any Authorize.Net transaction, webhook signature, hosted payment token, nonce, or server-side payment record. This allows any logged-in user to add arbitrary funds to their own AVideo wallet when the AuthorizeNet and YPTWallet plugins are enabled.

AnalysisAI

Wallet balance forgery in WWBN AVideo 29.0 and earlier allows any authenticated user to credit their own wallet with arbitrary funds by abusing an unfinished AuthorizeNet payment handler. The plugin/AuthorizeNet/processPayment.json.php endpoint hardcodes payment success and calls YPTWallet::addBalance() using an attacker-supplied amount with no validation of the underlying Authorize.Net transaction. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Delivery

Identify AuthorizeNet plugin enabled

Exploit

POST crafted amount to processPayment.json.php

Execution

Server hardcodes paymentSuccess=true

Persist

YPTWallet::addBalance credits attacker wallet

Impact

Spend or cash out fraudulent balance

Access

Delivery

Identify AuthorizeNet plugin enabled

Exploit

POST crafted amount to processPayment.json.php

Execution

Server hardcodes paymentSuccess=true

Persist

YPTWallet::addBalance credits attacker wallet

Impact

Spend or cash out fraudulent balance

Vulnerability AssessmentAI

Exploitation	Requires an authenticated AVideo user session (PR:L) and the target instance must have both the AuthorizeNet plugin and the YPTWallet plugin enabled, which exposes plugin/AuthorizeNet/processPayment.json.php and the addBalance() sink. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 4.0 scores this 7.1 with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N - network-reachable, low complexity, low privileges (authenticated user), no user interaction, and a high integrity impact with no confidentiality or availability effect, which accurately reflects a financial-integrity bug rather than a system-takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker registers a normal user account on a target AVideo site running the AuthorizeNet and YPTWallet plugins, then sends an authenticated POST to plugin/AuthorizeNet/processPayment.json.php with an inflated amount field. The server skips the unimplemented Authorize.Net charge, treats $paymentSuccess as true, and YPTWallet::addBalance() credits the attacker's wallet, which can then be spent on paid content, withdrawn, or used to defraud the operator. …
Remediation	No vendor-released patched version was identified at time of analysis; consult GHSA-9392-pj54-qqf8 at https://github.com/WWBN/AVideo/security/advisories/GHSA-9392-pj54-qqf8 for the upstream fix status and upgrade once a tagged release supersedes 29.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable the /plugin/AuthorizeNet/processPayment.json.php endpoint via web application firewall rule or uninstall the AuthorizeNet plugin entirely; audit all wallet balance changes from past 30 days for suspicious additions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2026-47696 vulnerability details – vuln.today

Back

WWBN AVideo CVE-2026-47696

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code